Subject: Re: Question about UNIX socket connections and SSL
From: Casey & Gina
Date: Thu, 13 Jun 2024 15:18:30 -0500
To: Daniel Gustafsson
Cc: Tom Lane, pgsql-general@postgresql.org
In-Reply-To: <7F34CCD8-7185-49A9-88A0-DC12D1B1CFCE@yesql.se>

> On Jun 13, 2024, at 6:47 AM, Daniel Gustafsson wrote:
>
> While not strictly that, there was a patch not too long ago for teaching
> postgres the PROXY protocol.

As I understand it, PROXY protocol support would be nice if one connects through haproxy on standalone hosts, so that postgres could show the originating app servers as the client_addr / client_hostname. We used to have standalone host haproxies, but moved to haproxy instances on each app node for performance and scalability reasons (many app nodes). I guess it could also help if we were to run pgbouncer on the db nodes?

We're using haproxy to route connections to the appropriate database nodes - RW connections go to the current master in the cluster, and RO are balanced between replicas. It seems that libpq could allow SSL on UNIX sockets which would avoid having to utilize TCP for the local connections from the application to haproxy.

Is there any way to utilize sslmode=verify-full through something routing connections to the appropriate database instances, whether that's with haproxy or something else?

-- 
Thanks,
- Casey
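For the routing setup described in the message (haproxy on each app node, RW traffic to the current master, RO traffic balanced over replicas), the following is an added example configuration, not from the thread or the PostgreSQL project. It assumes haproxy runs in TCP mode, so the TLS session passes through untouched and libpq's sslmode=verify-full checks the database node's own certificate; the node addresses, the port 8008 HTTP health endpoints (/primary, /replica) and the certificate host name db.example.internal are placeholders, and the thread does not say what manages failover on the database nodes.

```haproxy
# Added example (not from the thread); addresses and names are placeholders.
# TCP mode: haproxy never terminates TLS, so the libpq session is end-to-end
# with the database node and sslmode=verify-full validates that node's
# certificate rather than a proxy certificate.
global
    log stdout format raw local0

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  1h
    timeout server  1h

# Read-write: only the node that currently reports itself as primary is up.
# Assumption: each node exposes an HTTP health endpoint on port 8008 that
# answers 200 on /primary only while it is the master (Patroni-style).
backend pg_rw
    option httpchk GET /primary
    http-check expect status 200
    default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
    server db1 10.0.0.11:5432 check port 8008
    server db2 10.0.0.12:5432 check port 8008
    server db3 10.0.0.13:5432 check port 8008

# Read-only: round-robin over the nodes that report themselves as replicas.
backend pg_ro
    balance roundrobin
    option httpchk GET /replica
    http-check expect status 200
    default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
    server db1 10.0.0.11:5432 check port 8008
    server db2 10.0.0.12:5432 check port 8008
    server db3 10.0.0.13:5432 check port 8008

# Local listeners on the app node. The application connects with
#   host=db.example.internal hostaddr=127.0.0.1 port=5432 sslmode=verify-full
# libpq opens the socket to hostaddr but matches the server certificate
# against host, so the name check passes although the socket goes to localhost.
frontend pg_rw_local
    bind 127.0.0.1:5432
    default_backend pg_rw

frontend pg_ro_local
    bind 127.0.0.1:5433
    default_backend pg_ro
```

The host/hostaddr split follows libpq's documented connection parameters, where hostaddr gives the network address and host supplies the name used for verify-full certificate checking; every node's certificate must therefore carry that shared name as a SAN.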